Updated on 2023-06-16 GMT+08:00

Common Check Items

A VPN connection fails to be established, or the subnets behind it cannot ping each other, when any of the following is misconfigured: the negotiation policy, the firewall, the route table, the interzone policy, the NAT configuration, or the security group.

Check the following configurations.

Checking the Negotiation Information on Both Sides of a VPN Connection

  • Ensure that the pre-shared keys (PSKs) configured on the two sides are identical, including case and any accidental leading or trailing spaces.
  • Ensure that the IKE policy (IKE version, encryption and authentication algorithms, DH group, and SA lifetime) and the IPsec policy (security protocol, encryption and authentication algorithms, PFS group, and SA lifetime) on the two sides match.
  • Ensure that the local and remote subnets are mirrored: each subnet configured as the local subnet on one side must be configured as the remote subnet on the other side, and vice versa.
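The checks above can be run mechanically when both sides' negotiation settings are exported into a structured form. The script below is an added example and not a Huawei Cloud tool; the field names (`psk`, `ike`, `ipsec`, `subnet_pairs`) and the two sample configurations, which contain three deliberate faults, are constructed for illustration.

```python
"""Consistency check of the negotiation parameters on both ends of a VPN
connection. Added example, not a Huawei Cloud tool; the field names and the
two sample configurations below are constructed for illustration."""
import hmac
import ipaddress


def _net(cidr):
    # strict=False accepts a CIDR written with host bits set (e.g. 10.0.1.5/24).
    return ipaddress.ip_network(cidr, strict=False)


def compare_vpn_config(local, remote):
    """Return a list of mismatches between the two sides; empty means consistent."""
    issues = []
    # PSK: compare in constant time so the checker never leaks key bytes through
    # timing if it is ever exposed behind an API.
    if not hmac.compare_digest(local["psk"].encode(), remote["psk"].encode()):
        issues.append("PSK differs between the two sides")
    # IKE and IPsec policies must match field by field.
    for policy in ("ike", "ipsec"):
        for key in sorted(set(local[policy]) | set(remote[policy])):
            a, b = local[policy].get(key), remote[policy].get(key)
            if a != b:
                issues.append(f"{policy} policy {key}: local={a} remote={b}")
    # Subnets must be mirrored: our (local, remote) pair is their (remote, local).
    local_pairs = {(_net(l), _net(r)) for l, r in local["subnet_pairs"]}
    remote_pairs = {(_net(r), _net(l)) for l, r in remote["subnet_pairs"]}
    for l, r in sorted(local_pairs - remote_pairs, key=str):
        issues.append(f"subnet pair {l} <-> {r} is not configured on the remote side")
    for l, r in sorted(remote_pairs - local_pairs, key=str):
        issues.append(f"subnet pair {l} <-> {r} is not configured on the local side")
    return issues


def consistent_peer(config):
    """Build the exact mirror of a config; comparing against it must yield no issues."""
    return dict(config, subnet_pairs=[(r, l) for l, r in config["subnet_pairs"]])


# Constructed sample: the on-premises firewall's view of the connection.
ONPREM = {
    "psk": "example-psk-change-me",
    "ike": {"version": "v2", "encryption": "aes-256", "integrity": "sha2-256",
            "dh_group": 14, "lifetime_s": 86400},
    "ipsec": {"protocol": "esp", "encryption": "aes-256", "integrity": "sha2-256",
              "pfs": "group14", "lifetime_s": 3600},
    "subnet_pairs": [("192.168.10.0/24", "10.0.0.0/16")],
}
# Constructed sample: the cloud VPN gateway's view, with three deliberate faults.
CLOUD = {
    "psk": "example-psk-change-me ",        # trailing space pasted into the PSK
    "ike": dict(ONPREM["ike"]),
    "ipsec": dict(ONPREM["ipsec"], lifetime_s=7200),   # IPsec SA lifetime differs
    "subnet_pairs": [("10.0.0.0/16", "192.168.10.0/24"),
                     ("10.1.0.0/16", "192.168.10.0/24")],  # second VPC subnet only on the cloud side
}

if __name__ == "__main__":
    for issue in compare_vpn_config(ONPREM, CLOUD):
        print("MISMATCH:", issue)
```

The PSK and policy fields are compared literally; the subnet check normalises each CIDR first so that `10.0.1.5/24` and `10.0.1.0/24` are treated as the same network, which is how the negotiation treats them.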

Checking the Configurations of the Firewall on Your Local Network and the Security Group on Huawei Cloud

  • Ensure that data packets from your network are allowed to the VPC subnet on Huawei Cloud.
  • Ensure that data packets from the VPC subnet on Huawei Cloud are allowed to your network.

Checking the Firewall Route Table

Verify that the firewall has a route whose destination covers the VPC subnet on Huawei Cloud, and that this route is actually installed in the forwarding table rather than only present in the configuration.

  • Ensure that the route table contains a route to the target network on Huawei Cloud.
  • Ensure that the route is active in the forwarding table (for example, a static route whose next hop is unreachable is not installed).

    Incorrect route configurations:

    1. The destination CIDR block of the route does not cover the VPC CIDR block. Traffic destined for Huawei Cloud then does not match the route and is never sent out the public network interface to which the IPsec policy is applied.
    2. Only an outbound interface, rather than a next-hop address, is specified in the static route.

      On an Ethernet interface the firewall must then resolve each destination address by ARP on the local segment. No device on that segment answers for addresses on the remote side, so the route cannot be used to forward traffic.

    3. The VPN gateway address on Huawei Cloud is specified as the next hop of the route.

      Some non-Huawei devices do not perform recursive next-hop lookup (route recursion), so a next hop that is not on a directly connected segment cannot be resolved. VPN traffic leaves through the public network interface, so the next hop must be the carrier-provided gateway address on that interface, not the remote VPN gateway.

Checking the Firewall Inter-zone Policy

  • From the Trust zone to the Untrust zone: Allows access from your local network to the VPC subnet on the cloud.
  • From the Untrust zone to the Trust zone: Allows access from the VPC on the cloud to your local network.

Checking the NAT Configurations on the Firewall

Check whether the local VPN gateway sits behind a NAT device (usually the border firewall), that is, whether the outbound interface of the VPN gateway uses a private IP address that the NAT device translates to a public IP address.

This scenario is IPsec NAT traversal (NAT-T). In this case, the remote gateway address configured on the Huawei Cloud side must be the translated public IP address, not the private address of the outbound interface, and the NAT device must pass IKE on UDP port 500 and the NAT-T encapsulated traffic on UDP port 4500 in both directions.
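The three route faults listed above and the NAT-placement check can be tested against an exported route table before touching the device. The script below is an added example and not a Huawei Cloud tool; the `Route` representation, the route tables and every address in it (carrier gateway, cloud VPN gateway, VPC CIDR) are constructed for illustration.

```python
"""Route-table and NAT-placement checks for the on-premises firewall that
carries IPsec traffic to a VPC. Added example, not a Huawei Cloud tool; the
Route representation and all sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    dest: str                       # destination CIDR, e.g. "10.0.0.0/16"
    next_hop: Optional[str] = None  # gateway IP; None = interface-only static route
    interface: Optional[str] = None


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def check_vpc_route(routes, vpc_cidr, carrier_gateway, cloud_vpn_gateway):
    """Apply the three route checks from the text to the route that would
    actually carry traffic to the VPC, i.e. the longest-prefix match."""
    vpc = _net(vpc_cidr)
    issues = []
    covering = [r for r in routes if vpc.subnet_of(_net(r.dest))]
    if not covering:
        partial = [r.dest for r in routes if vpc.overlaps(_net(r.dest))]
        msg = f"no route covers the VPC CIDR {vpc}"
        if partial:
            msg += f"; routes {partial} cover only part of it"
        issues.append(msg)
        return issues
    best = max(covering, key=lambda r: _net(r.dest).prefixlen)
    if best.next_hop is None:
        issues.append(f"route {best.dest} via interface {best.interface} only: on "
                      "Ethernet the firewall cannot ARP for remote hosts, set a next hop")
    elif ipaddress.ip_address(best.next_hop) == ipaddress.ip_address(cloud_vpn_gateway):
        issues.append(f"route {best.dest} uses the cloud VPN gateway {cloud_vpn_gateway} "
                      f"as next hop; use the carrier gateway {carrier_gateway} instead")
    elif ipaddress.ip_address(best.next_hop) != ipaddress.ip_address(carrier_gateway):
        issues.append(f"route {best.dest} next hop {best.next_hop} is not the carrier "
                      f"gateway {carrier_gateway}; traffic may not leave via the IPsec interface")
    return issues


# RFC 1918 plus the carrier-grade NAT range. ipaddress.is_private is deliberately
# not used: it also classifies the documentation ranges used in this sample
# (203.0.113.0/24, 198.51.100.0/24) as private.
_PRIVATE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def behind_nat(outbound_if_ip, public_ip_seen_by_peer):
    """True when the VPN gateway's outbound address is private or differs from
    the address the peer sees, i.e. a NAT device is in the path and NAT-T applies."""
    ip = ipaddress.ip_address(outbound_if_ip)
    private = any(ip in n for n in _PRIVATE)
    return private or ip != ipaddress.ip_address(public_ip_seen_by_peer)


# Constructed sample values (documentation address ranges).
VPC_CIDR = "10.0.0.0/16"
CARRIER_GW = "203.0.113.1"      # carrier-provided gateway on the public interface
CLOUD_VPN_GW = "198.51.100.10"  # VPN gateway address on the cloud side
ROUTE_TABLES = {
    "ok": [Route("0.0.0.0/0", CARRIER_GW, "GE0/0/1"),
           Route("10.0.0.0/16", CARRIER_GW, "GE0/0/1")],
    "wrong_dest": [Route("10.0.1.0/24", CARRIER_GW, "GE0/0/1")],        # fault 1
    "iface_only": [Route("0.0.0.0/0", CARRIER_GW, "GE0/0/1"),
                   Route("10.0.0.0/16", interface="GE0/0/1")],          # fault 2
    "cloud_gw_hop": [Route("10.0.0.0/16", CLOUD_VPN_GW, "GE0/0/1")],    # fault 3
}

if __name__ == "__main__":
    for name, table in ROUTE_TABLES.items():
        print(name, check_vpc_route(table, VPC_CIDR, CARRIER_GW, CLOUD_VPN_GW) or "OK")
    print("NAT-T needed:", behind_nat("192.168.1.2", "203.0.113.5"))
```

Longest-prefix matching matters here: a correct default route does not rescue a more specific route to the VPC that points at the wrong next hop, because the specific route wins.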